tv Today in Washington CSPAN June 13, 2013 6:00am-9:00am EDT
>> we are going to examine the efforts to protect the american people from cyber threats. to protect our domain. we need to make sure that the american people know what a programs on, no, we're spending our money for, and also to make sure that we make wise use of taxpayer dollars so that there are no boondoggles. we hope to make sure we not have the private sector and to protect dot com by real information, real-time information sharing about threats and helping the private sector develop the secure technologies we need. we need to prevent hackers, nation states and criminals from stealing their cyber identities.
cyber espionage, cyber sabotage against our online commerce or our critical infrastructure. track and disrupt hackers and prosecute them when possible. i have two goals with this hearing. first, i'm going to make sure we protect the american people from cyber threats by working together across the government to protect, as i said, the domains of dot mil, dot gov and dot com. second, i want to examine how the agencies will use cybersecurity funding in the budget. the administration is requesting over $13 billion for fiscal 2014. in this very stringent environment we are concerned about techno-boondoggles. the government is often very good at spending money but we need to make sure we spend the money well. over the years there have been failures and inefficiencies in government i.t. programs and we
don't want to happen as we move forward in this cyber domain. i call this hearing as the full committee chairwoman to work across the subcommittees to make sure there aren't stovepipes, to make sure as we look at this the questions whenever there to governance, are we developing the right technologies to protect us, are we investing in the work force we need, and how do we protect our civil liberties. i am so proud of my subcommittee chairs. i want to acknowledge the work of senator durbin and the ranking member cochran on defense. i want to acknowledge the work of chairwoman landrieu, and her ranking member, senator coats. both have a great deal of expertise. for me, we will have the fbi and my great vice chairman senator shelby. this is a committee that is loaded with talent in this area.
coming with enormous expertise from the authorized committees. we have senator leahy from the judiciary committee, well-versed on the issues on cybersecurity and a staunch protector of our civil liberties. we have chairwoman feinstein on the intelligence community. on armed services we have three. with the former chair of the homeland security committee, senator collins, herself a member of the intel committee. where has the committee had so much talent coming together from both, those of us from appropriations as well as the authorizers? i hope that our country has a sense of urgency. we are already under attack. this is the new enduring war. we are in a cyberwar every day. every time someone steals our identity, steals our state secrets or trade secrets, we are
at war. we now see the growing nexus between cybercriminals and nation states, hacking our networks, planning disruptions of our business operations. director mueller of the fbi said that cybercrime or -- will eventually pass -- surpass surveillance. secretary hagel and general dempsey continued to warn us against cyber as an insidious threat. these are such critical concerns that the president, president obama in his recent meeting with the chinese president raised cybersecurity as one of our great, great international tensions between both countries. now, last year we tried to pass cybersecurity legislation. we all worked on a bipartisan basis. and women to the collins lieberman bill.
it didn't happen. the president issued an executive order and the just because authorizing hasn't happened doesn't mean that nothing is happening. so in february the president signed his executive order, and it improves real-time information sharing, protect critical infrastructure, provides critical infrastructure and cyber risk and brings private sector experts into the federal service. each one of these goes to a different subcommittee. but here today we're going to do something pretty different. and i bring to your attention the president's fiscal '14 budget on the areas of cybersecurity. this will be the first time in one place that we can look across all of the areas to make sure we know what the request is, what they are, not only at individual agencies, but do we get the synergistic effect necessary to protect our country to a significant that this
document that you all have, which is a public document, that we have in one place, one stop shop, and really what this, what the president is requesting. the president of the united states in his budget message to congress has asked for $13 billion in order to execute the cybersecurity strategy across the agencies of the federal government. the purpose of this hearing today is to look at the cybersecurity threat. not every program from the national security agency, not every program being run by homeland or the department of justice, or the great work being done by nist. it is the focus on the cybersecurity. but it is a committee first, and i might say, a senate first. no other committee has tried to
hold a hearing across, across the different domains, agencies, and smokestacks, and offered to do it in an open, public way. and experts as i said here from both the subcommittee chairs and the authorizers, is stunning. so we know that we're going to be able to do it. the president has asked for $13 billion, 9.3 billion in the department of defense, 1.3 billion in homeland security, 670 million in justice, primarily the fbi and nist, 215 million. nist has never seen 215 billion. that's the defense guys. today we'll hear from our government's lead people in this. general alexander, the director of the national security agency and the head of cyber command. rand beers, the acting deputy
secretary of homeland security. dr. gallagher, the acting deputy secretary of commerce and the director of nist, and richard mcfeely, assistant director in charge of criminal cyber and response and services branch. i also want to acknowledge that in the last several days many intelligence issues have been in the press. i understand that these are issues that are very much on the public's mind and members of the senate. last week, with the attorney general, this topic, take our surveillance program, came up. i pledged to senator shelby, a former chair of the committee, well-versed on the topic, not of the surveillance but on this, that we would have a full
committee hearing on that particular program. that's not today. that's for another day. i understand that our colleague, senator feinstein, the chair of the intelligence community, has scheduled a briefing for all senators tomorrow. and this is the second hearing that senator feinstein has opened up the intelligence community for a briefing for all senators to be able to participate. after the feinstein meeting tomorrow, if senator shelby continues to recommend that this committee hold a hearing on this matter, i will be happy to comply. and i pledge that to you. i did last week, and so on. but we will see if it's necessary. and if it is so we certainly. said at a single focus on cyberthreat, protecting the american people, protecting the taxpayer in the role both as citizen and taxpayer.
i hope today's hearing will focus on this very important issue. and i say to my colleagues, this is a committee hearing that is a first. it will be not the last on this topic or other matters related to our national security. i now want to turn to my ranking member, senator shelby, who has been active on this matter, the vice chairman of the committee, former chair of the intelligence community. senator shelby. >> thank you, madam chair. as you pointed out this is a very important hearing on a topic that demands significant congressional involvement. the cyberthreat as we all know is increasing and becoming more challenging as our adversaries grow bolder and more capable. we've seen recent and stark reminders of the threat with constant cyberattacks on the financial sector. the chinese hacking of "the new york times" and "wall street journal," iranian attacks against the saudi oil companies,
and reports that information on our most advanced weapons systems were stolen by the chinese. earlier this year, an information company reported chinese attackers are running an extensive cyber espionage campaign with the likely support of the chinese government. more recently the same company exposed iranian hacking in the u.s. these troubling developments remind us about virtually we need to coordinate effort to counter, to respond to these attacks. madam chair, this committee may be the only one with jurisdiction over the full complement of government organizations involving cybersecurity. therefore, as you pointed out, i think it's appropriate that we take a lead role in the oversight in this effort working with others. i would like to hear, for example, how each of you today perceive the threat, and about your continuing efforts to protect critical infrastructure against attack and to address
the cyberthreat outside the recently issued executive order. cybersecurity is an immediate priority, but the framework and vision in executive order will take time to develop, and probably even longer to implement. there's still areas that need more attention and may require legislation. such as information sharing. additionally the working relationship between the government and the private sector is still a work in progress. funding requirements also remain unclear in this time of fiscal uncertainty. clearly, a lot needs to be done. i look forward today from hearing from our panel of witnesses, and perhaps they can say some of the best way to protect government systems and information as you partner with industry to strengthen our cyber infrastructure across the board. thank you, madam chair. >> thank you, senator. now we'll turn to our witness
panel. and then we'll go to questions starting with myself and senator shelby, and then the regular order that we followed in the order of arrival. i would like to suggest that general alexander go first, followed by mr. beers, mr. mcfeely representing justice, and dr. gallagher, you are the wrath of god. general alexander, the microphone is yours. >> thank you very much. i think what you and senator shelby have pointed out with respect to cyberspace is absolutely important for us to discuss. the threats that we face today continue to grow. you know, it takes for the government a team to work this -- before going for the i do want to point out that the team is here, and it's great to be part of that team. because no one government department or agency can do it itself. for us it's going to take a partnership between homeland security, between the fbi, and with support of nist and
especially on executive order that senator shelby brought up, for us to work together. when i look at what's going on in cyberspace and the capabilities that are growing, this is an incredible opportunity for us as a nation and the nations around the world. the technical capabilities that we have when you look at what our children are using, the iphone, the ipad, come to philly for education, this is a tremendous time. when you look at what we can do with this with respect to medical care in the future, it is a bright future for us. but it's complicated by the fact of cyber espionage, by cyber hacking, at the threats that senator shelby talked about. so do want to hit on the. you mentioned the evolution of this threat. we look at the threat as it has gone forward, some of the things that fbi and we see in the department of homeland security work every day is a series of exploitations into our networks.
the issue is how do you fix that? and that issue is complicated by the fact that it's not only exploitations but we're seeing disruptive attacks against our nation's infrastructure, wall street, with the potential for destructive attacks. we as a nation need to step forward to say how are we going to work this. a government team that is here today cannot do it without support from industry. we have to have some way of working with industry. because they own and operate the bulk of our nation's infrastructure. we have to do it in a transparent way, in a legal way, and we really appreciate the efforts of many on this panel, senator, for what you and others have done to try to move that legislation along. but we do need to get there. we do need to have a way of working with industry. and dr. gallagher i know will talk about parts of this. we couldn't have a better person to lead it from nist. so thanks for what you and the team are doing. we do need to begin a dialogue
within industry. so part of what executive order does is give us that opportunity to have that dialogue. but at the same time we need to look at what we need in legislation and get that moving forward, so senator, thanks for what you and what the intel committee are doing to move that, and others. from my perspective, senator, you asked what is it we need to do. i think there are five key things we're working on. first, we have to create a defensible architecture. both the intelligence community and the defense department are moving forward on what we call the cloud architecture. a joint intelligence, joint information environment for the defense department, and the intel community's i.t. environment. same thing for both communities in moving forward to what is a more defensible architect, architecture. i think we need to move there. so that's the first thing. second, we need to be able to see what's going on in
cyberspace so that we can work with industry. and amongst ourselves. because in getting information after an attack only allows us to police it up. we have to have some way of stopping it while it's going on, so we need to be able to see it. we need a concept for operating within cyberspace, not just within the defense department but amongst all three of us because we all have a role in this. we all play vital roles from the department of homeland security's role for recovery and working with commercial industry, to the fbi's law enforcement investigative things to the defense department responsibility to defend the nation. we have to bring those together, and then reach out to say, now, how is that going to work within industry, and how can we share information that is vital to our common defense? we have to do that. we need trained and ready forces. i think that is one of the most
important things that congress expects of me, of cyber command, and the nsa to, within the department, to create trained and ready forces that are trained to a higher standard. both on the defense and on the offense, those capabilities that our nation needs that are trained to that standard that know how to operate lawfully, to protect american's civil liberties and privacy, and to protect this nation in cyberspace. we have to be able to do all three. and we have to have a capacity to act when authorized. the rules of engagement and the other authorities. we are working those life. from my perspective -- those five. the men and women of cyber command and nsa, we have tremendous technical talent, we really do. these are great people. our nation has invested a lot in these people. they do this lawfully. they take compliance oversight protecting civil liberties from
privacy, and to secure the of this nation, to their heart. every day. i could not be more proud of the men and women of nsa and cyber command. what we now need to do is take the next step in moving that forward. that's all have at this time, senator. i will do for now to my colleague, mr. beers. >> thank you, general alexander. chairwoman mikulski, ranking member shelby, and other distinguished members of the committee. we all welcome this opportunity to appear before you. as you said, senator mikulski, this is a unique opportunity to talk about the range of cybersecurity activities across the government, and we welcome the. as most of you know, cybersecurity is one of the five major missions of the department of homeland security, and one that we take very seriously. the threats that we face are
varied and serious. and in that regard, our mission focuses in two primary areas. they are to protect the federal civilian networks, and to work with the private sector to protect america's critical infrastructure. in that regard and as chairwoman mentioned, the president's policy, initiatives for the year ahead, are to secure federal networks, to protect critical infrastructure, to improve incident response, to engage internationally and to shape the future. with respect to the first this is one of the major areas that dhs is responsible for. we are investing about $600 million in protecting federal networks through our intrusion protection systems, and through our continuous
diagnostics and mitigation systems. but we are also working heavily with america's critical infrastructure, both public and private. we are working under the executive order with our partners in nist to create the cybersecurity framework. and this is, as you know, and important initiative on our part. executive order as you know is the administration's effort after an attempt to get legislation last year. that isn't to say that we still aren't interested in getting that legislation, and that's certainly something that we want to talk about in the time ahead. in addition to that, we are working to improve incident response, working with our partners in the fbi and with the national security agency. this is a one call to all initiative in which we work
together both in our headquarters in our operation center, in terms of sharing information, and where we worked together in the field in the deployment of teams to go to particular sites of particular incidents in order to determine what happened and in order to be able to provide information to other parts of the private sector that will help them prevent the same kind of incident from occurring. we are also involved in the international area with individual countries and partners around the world, but also with the european union as well. while it is a small program within the department of homeland security, it is a very important program and we have a lot of key partners that we work with. and that's just in terms of the engagement, in terms of face-to-face. in terms of the information sharing, our whole incident response structure, the national
cybersecurity communications integration center, on a regular basis shares information internationally with other readiness teams around the world in order to do with them what we do for ourselves nationally in order to protect cyberspace around the world. and, finally, we work in terms of our research and development and other activities to try to shape the future. this is an important effort that's ongoing, one in which, as general alexander said, we couldn't do if we were doing it individually in dhs. it takes all of us here at the table to make this work, and i want to thank you for the opportunity to speak with you today, and to talk about dhs programs and our team worked together. thank you. >> good afternoon, madam
chairwoman, ranking member shelby and members of the committee. it's difficult to overstate the potential impact cyber threats pose to our economy, our national security, and the critical infrastructure upon which our country relies. that's why the fbi, along with our key partners sitting at the table here, are strengthening our cyber capabilities in the same way we enhanced our intelligence and national security capabilities in the wake of 9/11. i want to talk briefly about what the fbi's response has been, but i echo both of these two gentlemen's comments that this is a whole of government approach when it comes to addressing this issue. in the last year within the fbi we have undergone a paradigm shift in how we conduct cyber operations. while we previously watched, collected information, and added it to our understanding of the adversaries' intentions, we did not always take action by seeking to disrupt them as we might in a counterterrorism
case. we are now working with our partners successfully disrupting and impacting the individuals behind the keyboard who have made it their mission to attack, steal, spy and commit terrorist acts against our nation and its citizens. instead of watching foreign countries steal our intellectual property, we are going up to companies and trying to prevent it. for example, working with the dhs we now routinely provide private industry and our law enforcement partners overseas with ip addresses that are responsible for launching attacks against our country. just last week the fbi, microsoft, and the financial services industry conducted separate coordinated operations to successfully disrupt more than 1000 botnets, networks of compromised computers that have been infected with a malware known as citadel. the botnets were part of a massive global cybercrime operation, estimated to be responsible for more than half a billion dollars in financial
fraud. these actions are part of the larger government strategy led by the national cyber investigative joint task force, or ncijtf, to target botnet creators and distributors. this exemplifies how the fbi and our partners are using private public partnerships both domestically and internationally to protect the public from cyber criminals. at the transit which serves as -- among 19 u.s. and international agencies, the government is committing its efforts at an unprecedented level. this coordination involves senior personnel at key agencies. while it is led by the fbi, it now has deputy directors from national security agency, dhs, cia, and u.s. cyber command. we must recognize that to work together we have to make sure that we keep this and surpass
the capabilities of our cyber adversaries. as general alexander described earlier, the leaders of the fbi, dhs and nsa met last fall and clarified the lanes and the road to cyber just taking it and i believe the collective opinion among the worker levels is that there is now an unprecedented level of cooperation not seen since the immediate post-9/11 era. in addition to strengthening our partnerships in government, we have significantly enhanced our collaboration with the private sector. as part of that outreach we've begun to provide industry partners with classified threat briefings and other information and tools to repel intruders. among these tools is a new platform we're developing for trusted industry partners to report cyber incidents to all of government in real-time. known as iguardian, it is based on a successful guardian terrorist threat tracking and collaboration system to help
after 9/11. we are also developing an automated malware analysis tool to which law enforcement and industry partners could submit samples of malware for triage and analysis. we expect an unclassified version of this system to be piloted with the private sector this fall. and while we have been primarily focused on cyberintrusion, which we see as the greatest cyber threat to our national security, we are working with our state and local law enforcement partners to identify and address gaps in the investigation and prosecution of internet fraud crimes. the fbi, the secret service, should not bear all responsibility for this. we believe that there is a huge space for state and local partners to join us in this fight. to address these gaps we've developed a pilot program in collaboration with international chiefs of police and other law enforcement organizations to enhance the internet fraud targeting packages that the fbi's internet crime complaint center currently provides the
state and local law enforcement for investigation and potential prosecution. i thank you for the opportunity to be here today, and look forward to answering questions. >> dr. gallagher. >> chairwoman mikulski and vice chairman shelby, members of the committee, it's a distinct pleasure to be here today to join my colleagues to talk to you about cybersecurity. since i am batting cleanup i want to touch quickly on just two topics. first is the all of government approach. good teamwork is based on playing your position. and the nist position is based on our mission. we are a measurement science and standards organization, and our role is to support industry. the owners and operators of this infrastructure as they respond to the information that they get from our intelligence community, from our law enforcement team energy, from homeland security. this is a top priority for nist,
and our 2014 budget request is $24 million increase to cybersecurity r&d programs at nist. this is on top of making our total investment of 68 million. this funding enables our r&d performance in a number of critical areas including the national initiative for cybersecurity education, an interagency effort, a national strategy for trusted identities in cyberspace, the national cybersecurity center of excellence, and implementation of executive order 13636, improving critical infrastructure cybersecurity. secondly, i would like to give a quick update on the executive order. as many of you know under the order nist have been directed to work with industry to develop a framework of cybersecurity practices, methods and so forth that supports the performance goals established by the department of homeland security. for this to be successful, two major elements have to be part of the approach. first is an effective
partnership between the agencies, and that is occurring. in fact, we memorialized this with a memorandum of understanding between dhs and nist, and with close working collaborations with my colleagues here. and secondly, the cybersecurity framework must be developed through a process that is industry led, open and transparent to all of the stakeholders. because by having industry develop their own practices that are responsive to the performance goals, that we end up with an output that is technically robust because it draws on their expertise, and it is aligned with business interest and practice. this is not a new or novel approach for nist. we've utilized a similar approach in the recent past to address other national priorities including smart grid and cloud computing. madam chair, i appreciate the challenge before us. executive order is very aggressive in the time for the framework process that is to be developed within one year. the first draft is due in 120 days. today marks the halfway point in
the process. we have issued in support of this effort our request for information and that gathered input from industry and other stakeholders. we have held the first two of four planned workshops to support this process and we will use these workshops to finalize and develop the framework because it is this type of approach that allows us the appropriate level of collaboration and engagement within industry. in may, we released the initial findings and the early analysis from the request for information. that release marks the transition from sort of gathering facts to actually building the framework. at eight months we will have an initial draft of the framework including an initial list of standards, guidelines and practices, and then following that we will work with our agency partners to finalize the framework. even after the framework is done, the work is really only just beginning. adoption and use of the framework is going to raise new issues to address. the goal at the end of this process is for industry to adopt
the framework of themselves. so becomes an ongoing process that enhances cybersecurity. the president's executive order lays out an urgent and ambitious agenda. i wholeheartedly that partnership is the essential ingredient for its success. and short the cybersecurity challenge both in the dot gov and dot com great in their been active collaboration between public and private sectors it was the only way we can meet this challenge. leveraging both sides, roses once those and capability. we have a lot of work and i look forward to working with this committee to make it happen. thank you. >> thank you very much, dr. gallagher, and all, all four witnesses. today, the way we will function is we will follow the five minute rule. we will go in order of arrival. we also know that this hearing
does not preclude the subcommittees from also continuing their own hearings where they will even probe more deeply. and also, after we have concluded all of our questioning, we will also understand that there will be certain aspects in order to drill down, we will also have an additional classified for him -- classified forum. but now and we will have a full and open session, not precluding further hearings by the subcommittees. general alexander, well, to all, just to reiterate the president's budget, the president has requested 9.2 billion for defense, 1.2 billion, almost 123 billion for homeland security. for all of justice including the
fbi, 589 million, 215 million for commerce primarily in nist, the national science foundation, 197 million, gsa 50 million, department of state 37 million. when one hears 13 billion, that is a lot of money. however, we are in an enduring war where our citizens are under attack from identity theft to state secrets, trade secrets, business secrets, et cetera. our question today is, 13 billion adequate in the various areas? and going, and number two, when we spend 13 billion, will they also avoid the kind of things where sometimes we throw money at a new problem, sometimes and often we have what i call techno boondoggles. we've seen at the fbi. we seen at homeland security in
the past. we've seen at dod. so this is what we're doing. but let's go right to the president's request, and the purpose. but as i understand from the administration's priorities, the administration's priority if you look at the budget statement to us, two of the third networks complete the example and make sure our networks are safe and secure. we have critical infrastructure, improve incident response come engage internationally. number three, shape the future. general alexander, you will be getting, if we pass this budget, the request is $9 billion. i understand that 3.5 will be to protect the dod network. we understand that, but what will you use the other 5.8 to do, and how will we get security for that dollar? and avoid the problems of the
past? >> well, thanks, senator. it is a lot of money and i can tell you that from our perspective what we are talking about here is not just protecting our networks, but developing the forces that we need. part of that money goes for training and outfitting the teams that cyber command and our components need. part of that money goes to the information assurance in fixing the networks, and a part of that, in developing future architectures. so when i look at this, from my perspective, i believe this is right, the right amount. i know the administration and the defense department has already looked internal to this budget to see where we can take cuts, and we did. we cut it back to what we thought was the minimum that we could use and still do this job. you pointed out, senator, that for the defense department our job is to protect the nation and our networks. in building up the infrastructure that we need, both within dod and amongst the
services, and cyber command, that's where the 5.8 billion goes. so it's split across all those. it doesn't go to one law. it helps each of the services do their missions. 2.17 billion as you pointed out and others ghost in a safer doing the job and is part of the intel he neared his budget. factual in there as well. 582 million goes to u.s. cyber command, and that's for five key areas. teams, setting up the teams, training our teams, starting the military construction to have a place to house these teams for our headquarters, and for research development, training, another 68 million. so i think it is the right number. i think we've looked at where we can take savings, and have done that. i also think it's important to state that the department is this as an area, help ensure the
nation is ready as we look at the rest of our force posture. >> let me just follow on question. in your testimony, this goes to protecting critical infrastructure, and obsession i think of this committee is something that is concentrated on very keenly when we're working on authorizing legislation under lieberman collins, or collins lieberman, are now collins and a lot of us. but in your testimony, sir, you said from zero to 10, in our capacity to defend our critical infrastructure, you rate us at a three. a three. a three to protect our grid, a three to protect our financial services. and my question then is the money that you're getting, i understand homeland security is supposed to protect us against domestic threats. where do you come in and where
does homeland security come in? and is part of your money also used to do the services to support them? >> well, we do work together but our money is there, not overlapping in this case, as you point out. specifically the defense department has two sets of roles and responsibilities here. one, to build, operate and defend the dod networks. that's the one responsibility, and that's a big cost because that's our forces global. and that's the biggest bulk of the money that is here. the second part is to develop the teams to defend the nation from a cyber attack, and that's where we come in. now, we work with the dhs, we work with fbi in setting up the op centers and funding and supporting the op centers so that we can communicate amongst us. but dhs has that responsibility to work with industry to set the standards to work recovery and that part.
fbi has the responsibility to do law enforcement investigation. we have the responsibility on the nsa side for the foreign intelligence and to defend against an attack. so what we're doing is developing the capabilities in the teams. we are still going to need legislation to do those operations. >> i could a follow-up but i'm going to turn to senator shelby. >> thank you, madam chairman. dr. taylor, i will address my first question -- dr. gallagher, i will address my first question to you. can you explain since nist has been passed under the developing -- reduced cyber risk for critical infrastructure, can you explain how the nist process will work, how the development of a framework to reduce cyber risk differs from the development of standards to reduce such risks? and what do you believe will compel private industry, which i think is so important, to implement the framework that is developed? and given the evolution of
technology that you are very much into, all of you, generally in cyberthreat specifically now, how useful is the development of a broad-based generic framework, long-term? will nist just be chasing its tail so to speak? or will you be able to get ahead of the curve? i would be interested in you to share your thoughts are, have a framework and the standards and so forth will apply, or could apply. >> well, thank you very much. -- >> i know that's a mouthful. >> i'm going to do my best. the idea behind the framework is very simply to get industry to develop a set of practices, standards, methodologies, whatever it would take that if implemented would improve cybersecurity performance. so we use the term framework as a term of art to refer to whatever you would put into place
that would result in enhanced cybersecurity performance. that would include a large measure of standards, and the idea behind having industry do it with nist acting in a technical supporting role and as convener, has a couple motivations. first of all, it addresses the capacity. industry is the one developing i.t. technology and communication technology, and, therefore, they know where this technology is going and they can bring that skill and expertise into the process to develop these standards. secondly these companies, this internet is a global infrastructure. these companies operate at a global scale. and by embedding security performance into the products and services themselves, we can, in fact, achieve cybersecurity performance that's much broader than our borders, much broader than what we would buy directly. it gives our companies the power to shape those technologies around the world.
in terms of chasing our tail, i think at a time when this technology is moving so quickly and when the threat environment is changing right in front of us, this is going to be an ongoing challenge, but i think the bottleneck can't be nist. we are simply not large enough to support this on our own. our role really has to be viewed as giving up industry come up with a vehicle where they can organize and be responsive to this trick that is the only way sufficient technical capacity can be brought to bear, in my view. >> let me pick up on that, if i could. the executive order, as i understand it, discusses the development of a broad framework which, presumably i would think, means it would be generic in order to have broad applicability to all critical infrastructure sectors. but will, doctor, a generic framework address the inherent differences in our critical
infrastructure and unique needs for being protected against cyber attack? in other words, if we're not addressing sector specific needs, how can we be sure that we are actually helping protect any of these industries from cyber attack? and lastly in the same thing, how do you bring industry on board? >> they have system, trade secrets, foremost, everything, you name it to protect. the government will have to protect those, and should. how will that work? >> so, you're exactly right, and i think the challenge, the question you asked about, you know, industry's capacity to come together and carry this out is actually the central question. how generic and how sector specific this framework looks is, in fact, the exact question that the participants in the framework are tackling. the good news is that in spite of
strong differences across sectors looking at energy or agriculture or transportation, so forth, they are dependent on a core set of communication and i.t. technologies. one of the big advantages they have working together to set a common platform is that they can drive that performance into the market, and they can buy these computer services and i.t. equipment at better cost because they're helping to shape the entire market. that really gets to one of the questions you raised earlier which is how to drive adoption of this framework. i think the bottom line is doing good cybersecurity has to become good business. in the end this is all going to be about alignment. these framework practices have to be compatible with profitable and well run companies. and that's really, it may very well turn out that the framework discussions are more about management and business practices than they are about technical controls and that's
okay if it helps us achieve the level of performance we are looking at, looking for. >> thank you, madam chair. >> senator leahy. >> thank you, madam chair. i've had a lot of concerns about section 215 of the patriot act. section 702 of the foreign intelligence surveillance. we had a number of comments and proposals in the judiciary committee to improve these provisions, but the intelligence community has told us that fairly obviously we don't have the components, several senators, know it what you do, so they do not need changes. until they are critical to our counterterrorism efforts. congress shouldn't tinker with them at all. we should simply trust you to use them the right way, and they shouldn't be made permanent. i don't think that's wise.
i think there should be sunset provision that we should actually debate them. in a free and open society. now, and we have information recently declassified by the director of national intelligence, and i'm not going into questions of whether he contradicted himself in a capital ventures, but taking what he is recently declassified editors section 702 said was critical to disrupting the zazi case in new york city. but it's not clear the data and collected pursuant to section 215 of the patriot act was similarly critical or crucial. so general alexander, let me ask you, aside from these two cases, is the intelligence can capture economic times phone records of change through section 215 of the patriot act were critical to
discovery and disruption of terrorist threats? >> i don't have those figures today -- >> are those figures are available to? >> we're going to make those figures available. >> how soon? >> over the next week. it would be our intent to get those figures out. i've talked to the intel committee on that yesterday. i think it's important in a -- >> you talked to the intel committee about this yesterday but you didn't have the figures yesterday? >> i gave an approximate number to them, classified, but it's dozens of terrorist events that these have helped prevent. >> dozens. we collect millions and millions and millions of records through 215. but dozens of them have proved crucial, or critical, is that right?
>> both here and abroad, in disrupting or contributing to the disruption of terrorist attacks back dozens of us know seven critical? >> that's correct. >> would you give me the specific even if it has declassified, the specific cases you're talking about? >> we will but we're going through the intel committee to do this. tomorrow i will give as clear as we have, precisely what we've done on each of those. and the reason that i want to get this exactly right, senator, is i want the american people to know that we are being transparent in here and being exact -- >> no, no. you're not giving it to the american people. you're giving it to specific members of congress, is that correct? >> there's two parts. weekend declassify, that's easy. but i think also for this debate what you're asking, and perhaps i misunderstood this but i thought you're also asking what we could put out unclassified. and to think it would be to do
both. as you said that -- >> you can do that within a week of? >> that is our intent. i am pushing for that, and perhaps faster but if i don't get any kicks from behind me. >> if you don't get any what? >> kicks from the cable guy meet or doing the work because we do want to do this right. and it has to be vetted across the community so that what we give you, you know is accurate and we have everybody here, especially between the fbi and the rest of the intel community can say this is exactly correct. >> dni clapper said section 702 was critical to discovery and disruption. is that correct? >> that is correct. in fact, not just critical, it was the one that developed the lead on. so i would say it was the one that allowed us to know it was happening. >> that is different than section 215?
>> that is different than section 215. >> phone records, 702 -- >> i could explain to us. >> go ahead. >> i do think it's important we get this right, and i want american people to know we're trying to be transparent here and protect civil liberties and privacy but also the security of this country. on the new york city one, the zazi case, it started with 702, a set of information based on operatives overseas. we saw connections into a person in colorado. that was passed to the fbi. the fbi determined who that was, zazi, and phone numbers that went to that. the phone numbers on zazi were the things that then allowed us to use the business records, fisa, to go and find out connections from zazi to other players throughout communities, specifically in new york city.
subsets of those -- >> i spent i think 215 is critical in corroborating and helpless -- >> was a critical insight he? >> not to zazi because the first part to zazi went to the 702. >> and heavily -- headley, 702 or 215 critical? >> 702 on headley, and some on business record fisa for corroborating. and i think it's important to understand because this is an issue that i think will be part of the debate. and i'll put on the, senator, also the boston, i think we need to walk through that so that what we have on the business record, fisa, what we have on 702, what you debate, the fact that we can give you, is what we do with that, how we take that to the fbi, if we took away what we could not do and is that
something that when we look at this woman security perspective -- >> in boston to talk about the marathon case with the fbi could have done was pass on information to the boston authorities. they said they did not. that might've been helpful, also. but my time is up. i mentioned this only because before it is brought up in the judiciary committee will be asking some very, very specifics. >> if i could, i'd want to make sure we are clear on one point. when i say dozens, what i'm talking here is that these authorities complement each other in helping us identify different terrorist actions and help disrupt them. they complement each other. so what you're asking is to state unequivocally that a or b contributed solely to that. the reality is they work together. we've got to make that clear to you. >> i will be waiting to see the specific examples either in open unclassified fashion. >> senator cochran.
>> madam chair, thank you. let me first ask general alexander, in testimony that was received by the armed services committee, there was a discussion about how to provide incentives to talented military personnel who might be interested in the cybersecurity field to become involved. i know it's hard to contemplate, wave a magic wand and have all the talented people available in the right places with the right responsibilities. what do you see as a first step in trying to get an infrastructure of leadership organized appropriately to carry out these missions? >> senator, thanks. i think the most important part top to bottom is the training. coming up with a clear training
program, which we've done with the services and with nsa, to develop a set of standards. standard. i think the training in and of itself helps us build a great cyber force. and it's that training for the leaders we're training the staff officer level, at the team level, all the way down to the individual operator. and we are standardizing that training amongst the services and between nsa and cyber command. i think raising the standards of has a couple of benefits. the soldiers, sailors, airmen, marines and civilians a common distilled get great training. it's something that they look forward to and the operations that they do are significant. i think they really feel good about what they're able to do for our country. so from my perspective it starts with training and building that kind of a force. you mentioned incentives, senator, if i could. i think incentives is going to play a key part in this. as incentive pay for languages plays a key part, i think incentives for our cyber force
is also going to play a key part. we've had discussions with services about how to start there. we don't have that program yet but that's something we're looking at. >> there's also a question about whether or not the department of defense has the resources to maintain a number of cyber test ranges across its services and agencies, again, in the training phase. there has to be, they have to be exercises with conventional weapons and other weapons systems. could you share with the committee what your thoughts are about cyber ranges so that you have an opportunity to dedicate certain areas exclusively for these purposes? >> senator, that's a great question and one that we're putting a lot of effort into.
because i do think we do need to bring the ranges together so we have a joint approach to this. one of the things that i would point out, the service account has played a cyber defense exercise together. this gets into your range issue, and when you look at, so how do you defend your networks in a way, they sort of compete against each other forcing u.s. the most defensible network. when you think about that, in a cyber range what you want people to do is to practice their tactics, techniques and procedures and esther arvidson nothing that happens. it only happened inside that so they can learn. we've seen that in another site, a national training center and other things are great places for the. we need to do the same here so those defending our networks know what the adversaries are going to do and are prepared for all those contingencies. it helps raise a. i think bringing the ranges together ensures that they're operating at the right level as a joint team. >> myf iforming that last
week we received a notice, our committee received a notice that about half of nsa's personnel in the cyberthreat center could be furloughed as result of sequestration. now, that's a fine how do you do, welcome aboard. has there been any attention given to what you're going to do, somebody jumps up and says, we've been sequestered, your funds have been sequestered? >> so we aborted this across the defense department so the sequestration for all the military has been standardized across all the departments. the nsa on the intel side is not there, but all of cyber command, our civilians will be sequestered. right now that has 11 day, or one day a week for the last 11 days of the. that has a significant impact on
>> both sides of the dome to be able to do this. i just would like to share with the committee the order to. we're going to go to durbin, then johanns, merkley, collins, tom udall, senator coats, senator landrieu and, senator feinstein, you came before the testimony started, so instead of alternating, we'll go right to you, then we'll go to senator boozman and senator pryor, that's our order of our lineup. durbin, johanns, merkley, collins. senator durbin. >> thank you, madam chair. and thanks as well to senator mikulski for bringing the cyber issue into sharp focus for the entire senate with her bipartisan briefing. i was on the intelligence committee at the time of 9/11. i saw what happened immediately afterwards. there was a dramatic investment in intelligence resources for our nation to keep us safe and a
dramatic investment in the personnel to execute the plan to keep us safe. i trusted, and i still do, that we were hiring the very best, trusting them to not only give us their best in terms of knowledge, but also loyalty to our country. i'd like to ask you about one of those employees who's now in a hong kong motel, and what we know about him is as follows: he was a high school dropout, he was a community college dropout, he had a ged degree. he was injured in training for the u.s. army and had to leave as a result of that, and he took a job as a security guard for the nsa in maryland. shortly thereafter, he took a job for the cia in what is characterized as i.t. security in the guardian piece that was published. at age 23 he was stationed in an
undercover manner overseas for the cia and was given clearance and access to a wide array of classified documents. at age 25 he went to work for a private contractor, and most recently worked for booz allen, another private contractor, working for our government. i am trying to look at this resumé and background -- it says he ended up earning somewhere between 122,000 and $200,000 a year -- i'm trying to look at the resumé background for this individual who had access to this highly classified information at such a young age with limited educational and work experience, part of it as a security guard, and ask you if you're troubled that he was given this kind of opportunity to be so close to important information that was critical to the security of our nation?
>> i do have concerns about that, over the process, senator. i have great concerns over that. they, the access that he had, the process that we did, and those are things that i have to look into and fix from my end and that across the intel community director clapper said we're going to look at that as well. i think those absolutely need to be looked at. i would point out that in the i.t. arena, in the cyber arena, some of these folks have tremendous skills to operate networks. that was his job for the most part. 2009-'10 was an i.t. system administrator within those networks. he had great skills in that area. but the rest of it, you've hit on the head. we do have to go back and look at these processes, the oversight and those. we have those, where they went wrong and how we fix those. >> let me shift to another topic raised by senator leahy, section
215. ten years ago i first introduced legislation known as the safe act, a bipartisan bill to reform the patriot act. my co-sponsors included senators chuck hagel, john kerry and barack obama. my most significant concern with 215 was that it would be used to obtain sensitive personal information of innocent americans who had no connection to any suspected terrorism or spy activity. when the patriot act was up for reauthorization in 2005, i worked to establish a new standard for 215, and under this standard the fbi would have broad authority to obtain any information, even tangentially, connected to a suspected terrorist or spy such as the examples used in the zazi case. could have led to phone information on any suspect. but under my provision, innocent americans with no connection to
any of these activities or suspects would be protected. the republican-controlled senate approved my reform to 215 unanimously. however, the bush administration objected, it was removed in the conference committee. 2009 i tried again with no success to put this protection of innocent americans back into the patriot act. now that the cloak has been lifted by media reports that the nsa obtained phone records of millions of innocent americans with no connection to terrorism, the data includes the numbers of both parties to the calls, the location of the callers, the time and duration of the calls. i've been briefed on these programs, and i obviously won't discuss details here. but it appears to me the government could obtain the useful information we need to stay safe and still protect innocent americans. my question to you is this: section 215 can be used to obtain, quote, any tangible thing, closed quote, that could
include -- could include -- medical records, internet search records, tax records, credit card records. last year the government filed 212 section 215 orders. that's an increase from 21 such orders in 2009. so clearly this authority is being used for something more than phone records. so let me ask you, do you think section 215 giving you authority to secure tangible things could include the categories of information that i just listed? >> we don't, i don't use those, so i'm not aware of anything that goes that -- that would be outside of nsa. all we use this for today is the business records, fisa. i would point out and just want to characterize something that you said here. as you know, this was developed -- and i agree with you, we all had this concern coming out of 9/11. how are we going the protect the nation? because we did get
intercepts on -- [inaudible] but we didn't know where he was. and because he was in the united states, the way we treat it is he's a u.s. person. so we had no information on that. and if we didn't collect that ahead of time, we couldn't make those connections. so what we create is a set of data, and we put it out here. and then only under specific times can we query that data. and as you know, senator, every time we do that, it's auditable by the committees, by the justice department, by the court and by the administration. we get oversight from everybody on this. >> i'm over my time, but i want to -- here's the point. if you knew that a suspect had made a call into area code 312, the city of chicago, it certainly defies logic that you need to collect all of the telephone calls made in the 312 area code on the chance that one
of those persons might be on the other end of the phone. now, if you have a suspected contact, that, to me, is clear. i want you to go after that person. >> right. >> what i'm concerned about is the reach beyond that that affects innocent people. >> so we agree at least on that part. and the next step, i think, in the debate that we actually need to talk about so what happens if you don't know he's in 312 yet? and so something happens, and now we say who was he talking to? so let's take -- [inaudible] you had authorized us to get his phones in california. but he was talking to the other four teams. under the business record fisa because we had stored that data in a database, we now have what we call reasonable suspicion. we could take that number and go backwards in time and see who he was talking to. and if we saw there were four other groups, we wouldn't know who those people were, we'd only
get the numbers. we'd say this looks of interest and pass that to the fbi. we don't look at u.s., the identities of it. we only look at the connections. >> i'm way over time. i'm not going to dwell on it. you've just given a clear illustration where you had specific information about telephone contacts which i don't quarrel with. what i quarrel with is collecting all of the information in california on telephone records to try to find that specific case. that, to me, seems overly broad. >> thank you very much. senator johanns? >> general alexander, i want to talk to you about cyber command, but senator durbin has raised a very interesting question. and let me just follow up on this. would this lead, the scenario that he has laid out, would it lead to a telephone records search for all of omaha or -- walk us through that. >> so the methodology would be
let's put into a secure environment call detail records. these are to-from records. and it is a selected time. so we don't know anything that's in there, we won't search that, unless we have some reasonable, articulable suspicion about a terrorist-related organization. if we see that, we have to prove that we have that. then given that, we can now look and say who was this guy talking to in the united states and why. >> and so you could search across the breadth of telephone records? >> no -- all you're looking for on that is, so, who did he talk to? >> yeah. >> so the system just gives us back who he was talking to. but if you didn't collect it, how do you know who he was talking to? so the issue really becomes if you don't have the information -- so i don't give you any connections, i just give you a number, find who he's talking to, you don't have the
information. so you see the issue is, i mean, this was the debate. you bring it up because this came up ten years ago. how do we do that? how do we solve this problem? we want to protect civil liberties and privacy, we do. and we want to protect the country. so the thought was a reasonable approach that we all agreed on -- congress, the courts, the administration -- was we'll put this in a way that we have tremendous oversight by the court. and so every time your people, a small set of those, can go in -- they have to have a reason to go in and look at the data. and when they get something out, they have to look at it and say does this meet reporting guidelines and put that in a report. only a few reports a year go out on that, handfuls. >> does this extend beyond telephone records? for example, could you check and see what that person is googling? could you check and see who that person is e-mailing?
>> so there's two parts of your question here. so going to the next step, once we identify a person of interest, then it goes to the fbi. the fbi will then look at that and say what more do we need to now look at that individual themselves. so there are issues and things that they would then look at if passed to them. >> so the answer to the question is, yes. yes, you could -- i mean, you can get a court order to do that. >> so in either case -- >> but would that take a court order? >> it would. to do any kind of search in these areas on a u.s. person, you have to have a court order. >> so now you've gotten into phone records, you've gotten into who they might be googling, you've gotten into who they might be e-mailing. what else do you feel that you can get? >> so i'm not sure of your question. on a terrorist acting in the
united states -- >> well, you don't know if it's a terrorist yet. you've got this reasonable suspicion which isn't even probable cause. you've just got this kind of uneasy notion, this feeling that something is happening here. so that's -- >> wait, wait. let's just stop here a minute. we're not going to inhibit your questions. but i think we need to clarify that the activity on which you're operating, general alexander. we get into probable cause, a lot of these that are absolutely important in debate, and, senator -- [inaudible] but you will be functioning also with a warrant. senator feinstein, did you want to clarify -- if we could, and i'm going to give you more time. senator johanns, you will get more time. >> if i may quickly, senator, it's my understanding, you have the metadata, you have the records of what appears on a phone bill. and if you want to go to the
content, then you have to get a court order, the same thing you would do in a criminal case. you'd have to get a court order that would permit you to collect the content of the call. you can ask him if that's right or wrong. >> but it's correct. >> but, i mean -- >> and i assume that. but i'm not talking about content at this point. i'm not asking if you can read somebody's e-mails. i'm assuming at some point there would be a legal standard by
which you could do that. being a lawyer, i know that. what i'm only getting to is you've identified for us that you can get phone contacts. i'm asking can you get google contacts, can you get e-mail contacts? i'm not talking about reading the e-mail or seeing what they're saying back and forth. i'm not at that point. but what i worry about is how
far do you believe this authority extends? can you get google contacts? can
you get e-mail contacts? and, again, i'm not asking about reading the e-mail. >> so i think there's a couple things here that i want to make sure we've got. the br fisa only talks about phone contact, phone metadata. that's all that program talks about. so any program that we have -- and, senator feinstein, if you want to get that content, you'd have to get a court order. in any of these programs, you know we have programs for doing that with oversight by the congress, by the courts and by the administration. so my concern in all this is that i think that this is an area where we have to give you both the details, and i think we need this for the american people. they need to understand it so they can see what we're doing and what the results of it.
i do think that's important. i also believe, you know, we had this debate several times, and senator durbin brought it up, from 2001 on. and this is one now where we need to bring out because of these leaks the rest of the story, show what we do, what it protects the country from, and have the debate. does it make sense. and so that's part -- in order to do that, i think what we have to give you is the rest of that data. tomorrow we'll put that in a classified session, but the intent would be to try to get as much out public so that everybody has the information where we can. and the reason that i hesitate a little bit here is i don't want to make a mistake that causes statements that i have for our country to lose some form of protection, and we get hit with a terrorist attack because i made that mistake. >> yeah. i, and i thank the chair for the
additional time, and i'll just, i'll wrap up with
a comment. the concern here, the american public is fearful that in this massive amount of data you get that there's, the ability of the federal government to synthesize that data and learn something more than maybe what was ever contemplated by the patriot act. that would be number one. the second thing is the more personal issue, and it kind of gets into some of the concerns about cyber command, and that is you're in this hugely unique role. we've always had this view of separating the civilian leadership, politically elected, from the military leadership. and yet you've got this dual hat. and it creates a concern not
has been waiting. what we're now moving into is a domain that is not the parameters of in this hearing. though this senator will not inhibit any senator from asking any question they want. i want to remind the senators that tomorrow in the feinstein hearing many of these can be filed, and i hope it's a learning experience that when you go to feinstein, your questions will even be, you know, as cogent and comprehensive as they are here today. so, senator merkley, we're going to turn to you now. >> thank you very much, madam chair. and thank you, general. and you referred to section 215, and 215 requires for an application for production of any tangible thing. and it says in it that this application must have a statement of facts showing
reasonable grounds that the tangible things sought are relevant to an authorized investigation. so we have several standards of law embedded in this application; a statement of facts, reasonable grounds, tangible things that are relevant to an authorized investigation. now, as it's been described in this conversation and in the press, the standard for collecting phone records on americans is now all phone records all the time all across america. how do we get from the reasonable grounds relevant, authorized investigation, statement of facts to all phone records all the time, all locations? how do you make that
law been met? >> so this is what -- [inaudible] very deliberate process where we meet all of those portions of the 215. we lay out for the court what we're going to do. and to meet that, what you just said, the answer is we don't get to
look at the data -- >> let me stop you there, because these are requirements to acquire to analyze the data, to acquire the data. this is the application to acquire the data. here i have my verizon phone, my cell phone. what authorized investigation gave you the grounds for acquiring my credit card data? -- my cell phone data? >> i want to make sure i get this exactly right.
you know, i think on the legal standards and stuff on this part here, i think we need to get department of justice and others, because it is a complex area. and you're asking a specific question. i don't want to shirk that, but i want to make sure i get it exactly right. and so i do think what we should do is part of perhaps the closed hearing tomorrow walk through that with the intent of taking what you've asked and seeing if we can get it declassified and out to the american people so they can see exactly how we do do it, because i do think that should be answered. >> general, thank you, and let me fill in the middle piece here -- >> senator merkley, i'd like to help you out. i think senator merkley has asked an excellent question. you want to get it right. and the answer, i would suggest, should be in writing that way you get it right, and he gets his answer. how does that sound? >> we'll take that for the record. [laughter] >> i've asked that that question get answered tomorrow at the
hearing by justice, senator merkley, exactly as you have delivered the question. >> okay. but either way, senator merkley should get his answer, and i would suggest perhaps both in writing, your hearing and into his hands. >> i thank the chair, both chairs. and if i can elaborate on the piece i would like answered, is that okay, madam chair? >> [inaudible] >> thank you. >> it's your time. >> in between these two pieces, a fisa court gives an interpretation of the plain language of the law. their interpretation is what translates the standards in the law into what is governable in terms
of what you can do. i had an amendment last december that said these findings of law that translate the requirements that are in the law into what is permissible needs to be declassified so we can have the debate. i believe that what you just
said is you want that information to be declassified that explains how you get from these standards of law to the conduct that has now been presented publicly. did i catch that right, and do you
support the standards of law, the interpretations of the fisa court, the plain language, to be set before the american people so we can have this debate? >> i think that makes sense. i'm not the only decision maker in the administration about this process. i want to make sure i put that exactly right, and that is i don't want to jeopardize the security of americans by making a mistake and saying, yes, we're going to do all that. but the intent is to get the transparency there. so, senator, i will work hard to do that. and if i can't do that, i will come back to you and tell you why, and then we should have that discussion and run it out. and i defer to the chair of the intel committee, but i think
that's reasonable to get this out. now, having said that, i'm not a -- i don't have the legal background that perhaps you have in this area. i want this debate out there for a couple reasons. i think what we're doing to protect american citizens here is the right thing. our agency takes great pride in protecting this nation and our civil liberties and privacy. and doing it in partnership with this committee, with this congress and with the courts. we have everybody there. we aren't trying to hide it.
we're trying to protect america. so we need your help in doing that. this isn't something that's just nsa or the administration doing on its own. this is what we, that our nation expects our government to do for us. so we ought to have that debate. we ought to put it out there, and we've got to put those two together. so i just want to put that one caveat there. and if i can get it, if i can make it happen, i will. >> general, i thank you for your
expression of support. i also want to thank chair feinstein who helped develop and sent a letter expressing this concern about this secrecy of the interpretations of the fisa court. i do think it's time that that become understandable in public because otherwise how in a democracy do you have a debate if you don't know what the plain language means? i do have concerns about that translation, and i'll continue this conversation. thank you. >> senator collins. >> thank you, madam chairman. madam chairman, i'm actually going to ask a question about computer security, but before i do so, i do want to give general alexander a chance to answer a very quick question that has to do with americans' concern about their own private computer security and privacy.
i saw an interview in which mr. snowden claimed he could tap into virtually any american's phone or e-mails? true or false? >> false. i know of no way to do that. >> thank you. i just wanted to clarify that, because perhaps that's one issue we could put to rest. now let me switch to the computer security question. >> oh, boy. [laughter] >> in the president's budget, it is mentioned that the nation has four top cyber risks, and the first one listed is one that's been of great concern to me since we produced the bill last year that, unfortunately, could not get past a
filibuster, and that is attacks that are aimed at our critical infrastructure. and secretary beers, i'm going to ask you this question. the general has alluded to the fact that much of our critical infrastructure is owned or operated by the private sector. in fact, it's 85% that's in the private sector. and our fbi witness has talked about the i-guardian program which encourages private industry partners to report cyber incidents to the government in realtime. our legislation last year had a requirement that the owners and operators of critical infrastructure -- not all infrastructure, critical infrastructure -- would be
required to report major cybersecurity incidences. does the administration still support mandatory reporting in such cases? >> senator, that was our position then, and that remains our position at this point in time. obviously, we're prepared to work with the congress. you all ultimately write the legislation, but that remains the administration's position. >> thank you. in that legislation we did pay attention to the need for a more expert cyber work force and, boy, this latest account which senator durbin did such a great job of going through the resumé of this individual just underscores how much work there is to be done in making sure that whether it's
public sector or private sector that we have a well-vetted, well-qualified cyber work force. i would like to hear from all four of you on whether you are having difficulties in recruiting individuals who have the skills that you need and doing the appropriate vetting of them so that we can avoid having the hiring of a young high school dropout/community college dropout, didn't complete his military service, young person with so little experience being given access to so much classified information. and, general alexander, we'll start with you and then just go down the panel. >> well, senator, i'd just like to state, first, that in the military we are going to hire young folks out of high school,
who graduate from high school to work in this area. and the key will be the training that we give them. now, ideally we'd like to get four years out of a topnotch engineering school for some of the military positions, but we won't get that. so what we have is a responsibility to train them, bring them into the force and train them. and we have a program. but it takes several years to get somebody trained in this area, as you know. so, in effect, what we're running is a cyber college for many of our young enlisted folks to get them to the requisite skills. on the nsa side, we're able to hire more college graduates into the government side of that. what i need, i think, is greater scrutiny. what i need to go back and look at is what am i getting with my contract support, and what are their capabilities, and how do we manage that from a government perspective. so that's something i have concerns about and i've got to go back and address. >> secretary beers.
>> senator, we have a major initiative underway, as you're well aware. we've defined our cyber work force, we are matching the positions with the skill set that is required to serve in those positions. we are also in the process of looking to hire another 600 individuals to augment that 1500-person work force. we have a series of programs, one with community colleges where we're looking to find people who have taken the correct, appropriate courses at the community college level who we can hire as beginning work force members and train them up. we also have a program in conjunction with nsa that goes to colleges and universities that have centers for excellence that provide us with topnotch four-year graduates. and then we have an effort to reach out to the private sector
to find individuals there. this is, i think we have an excellent work force, but we have as you well know a provision that was in the bill that you worked on -- >> correct. >> and that we would like to see in any cyber legislation that gives us some assistance in terms of both recruiting and retaining that kind of a work force which would allow us comparable pay and benefits to what nsa is able to offer to its work force. thank you. >> thank you. i know my time has expired, so i'm going to ask the other two witnesses to submit their answers for the record. but i think the whole work force issue is absolutely critical. we did have that as an important part of our bill last year. thank you, madam chair. >> i think you're absolutely right, senator collins, and thank you for asking a question actually on the topic, though it is our security. and we're going to turn now to
senator udall, but just to add to that as we go to senator udall, we keep hearing snowden had skills. well, maybe he did. you know, but just because you're a swimmer and you're a champion swimmer doesn't mean we ought to make you a navy seal. so i'll leave it at that. senator udall? >> thank you, madam chair, and i thank the entire panel for their service to the country in these very difficult times. and, first, i'd like to welcome dr. pat gallagher, although his career took him away from albuquerque, dr. gallagher is a native of new mexico, and i want to recognize him for his leadership at nist and his commitment to public service. pat, it's good to have you here today. american citizens, businesses and government agencies face serious cyber threats, and you've talked about some of these here today. personal data, trade secrets and national security secrets
are at risk from intrusion by independent hackers and foreign governments. and i've supported cybersecurity legislation in the senate, and i support funding for our cybersecurity defense. but the elephant in the room today here is, and we've been talking about it some, is that many americans are also becoming more concerned about what their own government is doing with domestic surveillance. last week we learned of widespread collection of americans' phone records under section 215 of the patriot act, also the massive scale online surveillance through the prism system conducted under fisa section 702. i want to let you know i voted against the patriot act in 2001 and the fisa amendment act in 2008. i've also voted against their reauthorizations since then. several of us attempted to add privacy protections to these
laws but faced strong resistance, as senator durbin indicated. today i'm sending a bipartisan letter to the privacy and civil liberties oversight board asking them to make it a priority to investigate the bulk phone records collection and the prism program to determine whether they, number one, are conducted within the statutory authority granted by congress and, number two, take the necessary precautions to protect the privacy and civil liberties of american citizens under the constitution. the board was created by congress based on a recommendation of the 9/11 commission, but it has taken years -- many of you realize this and know this -- years to get a full membership and a chairman. i've been working to get this board operational since i was in the house, and i believe it can provide an important check against civil liberties abuses.
the, richard clarke who was the counterterrorism aide under three presidents, i believe, just wrote an article recently on this and suggested we won't have the problems today if we had stood up this board much more quickly. general alexander, will the nsa cooperate with any investigation conducted by the privacy and civil liberties oversight board into the agency's collection and analysis programs? >> senator, we will. and i think, in fact, we met -- my deputy met with the board yesterday and actually briefed them for a couple of hours on both programs so that they understood. and i think, i don't know if you've gotten feedback from that, but from my understanding is i think it went well. i think you bring up a very important point here because i do think what we're doing does protect american civil liberties and privacy.
the issue is to date we've not been able to explain it because it's classified. so that issue is something that we're wrestling with. how do we explain this and still keep this nation secure? that's the issue that we have in front of us. and so you know that this was something that was debated vigorously in congress, both the house and the senate, within the administration and now work for the court. so this is not us doing something under the covers. this is what we're doing on behalf of all of us for the good of this country. now what we need to do, i think, is to bring as many facts as we can out to the american people. so i agree with you. but i just want to make that clear because from the perspective is that we're trying to hide something because we did something wrong. we're not. we want to tell you what we're doing and tell you that it's
right and let the american people see this. i think that's important. but i don't want to jeopardize the security of our country or our allies. so that's what we have to weigh this what we look at what we're going to declassify to allow this very public debate. >> general, i very much appreciate your answer, but it's very, very difficult, i think, to have a transparent debate about secret programs approved by a secret court issuing secret court orders based on secret interpretations of the law. now, i'm going to ask, i know there are many other questions here, and i'm going to ask the ones in closed session when we get together later in the week. i have several other questions on cybersecurity, but i see my time has expired, and so i will submit those for the record. but thank you very much for your answers, and i very much appreciate you meeting with the board and briefing them on what
you're doing. i think that they're a good counterbalance in terms of what's going on here in terms of asking questions and them being able to, i hope, have the credibility of the american people to be able to answer some of these questions. thank you. thank you, madam chair. >> we're now going to turn to senator coats, but before we do, i want to respond to a tweet about me from rosie gray. quote: senator barb is trying hard to keep the other senators from asking programs about mining programs. i want to say to rosie and to others who might read from rosie there is no attempt here to muzzle, stifle any senator from asking any line of question. um, and so we have an open hearing. the purpose of the hearing was on the enduring war of
cybersecurity. while we might be concerned about data mining and who's reading our phone records, etc., we're also concerned about stealing the cyber fraud that's going on against our senior citizens, our identity theft, stealing our cures for cancer that are pending over at fda. so we're here on cyber, but any senator can ask any question at this hearing that they want to. so, rosie, it's an open hearing. hi. look forward to keeping in touch. [laughter] senator coats? >> well, i want to send a message to rosie also -- [laughter] as a member of the other party, senator mikulski, chairman of this committee, has been extremely tolerant of our diversion from what the purpose of what this appropriations hearing was. this is the appropriations committee. we, our purpose is to determine what kind of resources,
financial resources our agencies need to address critical issues facing our country, and we've diverted -- thanks to the tolerance of the chair -- so a critical question, but one that, as general alexander said is scheduled to be and will be thoroughly discussed with every member of congress and with the public to the extent that that's possible. general, i appreciate your answer to senator udall's question, the last question. i -- you're walking, you're walking a very difficult tight rope here because there are demands that you release previously classified information to not just members of congress, but to the general public. and without -- and if you don't do that, this frenzy of
mischaracterization of these programs will continue in the public. and so you're caught between a rock and a hard place. i regret that. i've been urging my colleagues before they draw a conclusion and go public with that conclusion they learn about the program. because the more you learn about the program, the more you realize the enormous effort that has been made to respect the privacy and civil liberties of americans. and the hurdles you have to go through to get the most minimalist of information. i think as the public learns more about what is happening here, you know, we take all the phone records all the time, and the public interprets that as meaning everything that has been said over a phone is stored somewhere, and you can go in and retrieve it, or there can be abuse of that. you've tried to clarify that a
number of different times in terms of what you collect and what you don't collect and how you have to go through a legal process in order to even begin to ascertain information that is necessary for you to come to some conclusion about whether or not this country's about to be attacked by terrorists. and so i just -- well, let me ask you this question: given the fact that this issue has swept across the country, and we're in a position where we have to disclose more about it in order to calm the public misperception of what it is, are there consequences? do we have to look at both sides of this question? one, being transparent, addressing civil liberties but, two, the importance of keeping some missions and some
activities in a classified manner so that those that are intending to do us harm don't learn about this and, therefore, make adjustments to bypass the very methods that we have to potentially prevent a serious attack against the united states? i'd like you to address that question, particularly in relationship to what you said about 9/11 and perhaps if we had had these programs in place at the time, we could have prevented that. and a little bit more about the consequences of our simply -- as some have suggested -- open this up for the whole world, and the whole world means a lot of people sitting in places where they're trying to determine how they can best attack the united states. >> senator, thank you for the question because that is my concern. great harm has already been done by opening this up, and the
consequence, i believe, is our security jeopardized. there is no doubt in my mind that we will lose capabilities as a result of this and that not only the united states, but those allies that we have helped will no longer be as safe as they were two weeks ago. so i am really concerned about that. i'm also concerned that as we go forward we now know that some of this has been released. so what does it make sense to explain to the american people so they have confidence that their government is doing the right thing? because i believe we are. and we have to show 'em that. and you said it right, we have great people working under extremely difficult conditions to insure the security of this nation and protect our civil liberties and privacy. they do a great job. actually, i would like the american people to know that. because they would be tremendously proud of the men
and women of nsa who have done this for us for the last decade. it is great story. the issue is that we then have to debate is how much do we give out, and what does that do to our future security? that's where the real debate is going to take place, because that's the issue that is now before us. there is water, broken glass and everything else on the floor. we now can look at that. but what we're going to have to do as a nation going forward is say what can we do? and that's where congress, i believe, has to stand up on behalf of the american people. some of these are still going to be classified and should be. because if we tell the terrorists every way that we're going to track them, they will get through, and americans will die. that's wrong. and our allies. we've got to come up with a way of doing this. and, you know, i thought the great part about this program was that we brought congress, the administration and the courts all together.
we did that. that's what our government stands for under the same constitution. we follow that constitution. we swear an oath to it. so i am concerned, and i think we have to balance that. i will not, i would rather take a public beating and people think i'm hiding something than to jeopardize the security of this country. now, having said that, some of this is out there, and it is right that we have that debate. and so what makes sense to put out there so that people will know what we're doing is right, we ought to do that. and i think that that part will be good for the country. and there's other parts that i think you need to weigh in and say but don't do that. and that's where you, the administration and potentially the courts ought to come together and say so now what do we do. >> thank you. >> thank you. i appreciate that statement. and i think it should be made in the record and published across the nation. >> senator landrieu? >> thank you so much. i'd like to follow up by saying,
general alexander, i'm so proud of you for being in charge of this, because your demeanor through this whole hearing has once again proven to me that you're the right person for this job and the four stars that you wear indicate a great understanding of the balance that you're trying to achieve. perhaps these facts might support what senator coats and others have been trying to express given the difficult, important but difficult questioning. u.s. cyber command says there are 250,000 attacks on u.s. government networks every hour. six million a day. and among the attackers are 140 foreign spy organizations. this is what our men and women are up against. we are not in a scrimmage, we are in a war with. it's a very serious issue.
and we are way behind the 8 ball, in my view, in terms of allocation of resources. as much as we're struggling to clarify roles and responsibilities and balance this new war that we've never fought before under a constitution that's probably the best and most open in the world. i think they need a little space. secondly, i have every confidence in this chairman to provide leadership. this hearing is one of the best hearings, madam chair, i've ever participated in in the almost 18 years i've been here. i thank you for it. and i have great confidence in senator feinstein who i don't think there's a member of the senate on either party that would question her integrity on this issue as head of our intelligence committee trying to balance the civil liberties representing the state of california which probably has the strongest views on this on any state and the military, which has been engaged in war since the beginning of time but never one like this.
so i just want to say i am very proud of our military and very proud of you, general alexander, and i hope that in the classified hearing that more of this can be brought to light, and i most certainly am going to be explaining this to my constituents in an appropriate, balanced way. but i want to say one other thing to you, mr. beers. your staff is terrific. they briefed me privately yesterday, several briefings. i want to share this and then ask a question. when i asked them to sort of describe the scope of cybersecurity and the challenge before us, they said, well, senator, somebody's described it like this. they said the department of defense is .mil. it's the coke bottle cap if you think about a coke bottle. it's just the cap of the coke bottle. the federal civilian government which is .gov and the companies and citizens which is .com is
the entire room the bottle is in. so while all the questions are being peppered to the top of this coke bottle, madam chair, the room that we're in is the battleground that we're fighting in. and it takes huge resources and an unbelievable amount of commitment and compromise between the government and the private sector. so i want to ask the secretary of homeland since that's my, you know -- and i'm very proud to be the chair of the committee -- when the president issued his executive order on improving infrastructure cybersecurity, it required not only you, mr. secretary, but treasury who is not here to come up with a report. that report is due today, 120 days from it. do you have the report? can you comment about when you're going to have it and one
or two of the top findings you're going to be giving to congress i hope sometime soon? >> senator, yes, the report is done. the report has been sent to omb and the white house. i trust that commerce and treasury have also submitted their report on incentives. it will be subjected by omb to an interagency process, and at the end of the process the expectation is to release it to you all and the private sector for comment. what we want out of this is to pull together, and we've had workshops to talk about incentives. we had one last week in pittsburgh to draw in the private sector to give us their ideas about incentives to have critical infrastructure adopt the critical, the cybersecurity framework. that report will cover such things as insurance as a possibility, it will cover such
things as certification with some liability protections as a possibility. these are all still ideas that are in a formative stage, and i don't think it's appropriate at this point to make those initial reports public. but the intention of the administration is to make those reports public to you, the congress, and to the private -- >> but not because they're secret, it was because they're incomplete. is that correct? >> yes, ma'am, that is correct. what we need to make sure is that we, that everybody who has a stake in this in the government has an opportunity to comment on it and then to get it back out to you and, you and the private sector. >> okay. my time is up, but i'm going to ask general alexander in writing what his view is the goal of the national guard in cybersecurity for the nation. you know, they play a very interesting role in our states. i've written you several times about it, i'm going to write to
you again to clarify their role for the record. and finally, the department of homeland security under your leadership, secretary, has awarded a $300,000 grant to the cyber innovation center in louisiana which is starting a very scaleable and proven model to create the cyber warriors of the future, and i look forward to talking with you more about that in conjunction with the chairman. >> thank you, senator landrieu. you, as the chair of the homeland security subcommittee along with senator coats who's your ranking member, i believe, i really would hope you would do your due diligence in getting ready for the bill to pursue this topic, because we covered a lot of topics today. but we really count on you in the homeland security area. senator feinstein. >> thanks very much, madam chairman, and thank you for holding this hearing, and thank all our witnesses for their service to our country.
just to be corrected if i need to be corrected, i would like to just quickly read my understanding of section 215. the section 215 business records provision was created in 2001 in the patriot act, for tangible things; hotel records, credit card statements, etc. things that are not phone or e-mail communications. the fbi uses that authority as part of its terrorism investigations. the nsa only uses section 215 for phone call records, not for google searches or other things. under section 215 nsa collects phone records, it can only look at that first be showing that there is a reasonable,
articulable decision that a specific individual is involved in terrorism actually related to al-qaeda or to iran. at that point the database can be searched, but that search only provides metadata of those phone numbers, of things that are in the phone bill. that person, um -- so the vast majority of records in the database are never accessed and are deleted after a period of five years. to look at or use content of a call, a court warrant must be obtained. is that a fair description, or can you correct it in any way? >> that is accurate, senator. >> thank you. >> thank you. >> thank you very much. let me express my hope once again. you expressed some things to us
yesterday in intelligence. i think it's really very important to show the cases where this has been used and has been effective and do that tomorrow, um, at the classified briefing for all senators. will you do that? >> senator, we're going to bring those. we'll bring the layout of all those that have happened. and we'll work with the interagency as quickly as possible so that the aggregate numbers can be released by you and others so that the nation knows how much this has really done to protect us and our allies. >> good. >> so we'll do both. >> that's appreciated. let me go to cyber. as you know the vice chairman of our committee, saxby chambliss, with whom i work closely, we have been sitting down to forge a consensus information-sharing bill in cyber. senator coats, senator collins, senator mikulski are all members of this committee.
and one of the main things is the extent of liability protection, the importance of the domestic portal of entry for cyber attacks. i would like to ask that you describe what is meant by a civilian portal for senators assembled here today and, also, a rationale why this is important for privacy and other reasons. ..